2013 News & Events (Archive)

December 27, 2013

1 Product from Beijing Topsec Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 159 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

The official CVE-Compatible logo lets system administrators and other security professionals look for it when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

The CVE List is now publishing CVE content using the Common Vulnerability Reporting Framework (CVRF). Developed by the Industry Consortium for Advancement of Security on the Internet (ICASI), CVRF is an XML-based standard that enables software vulnerability information to be shared in a machine-parsable format between vulnerability information providers and consumers. Having vulnerability information in a single, standardized format speeds up information exchange and digestion, while also enabling automation.

"Presenting the CVE List in CVRF format will make it easier for people to access CVE content instead of having to use our custom format," said Steve Christey Coley, principal information security engineer at MITRE and editor of the CVE List. "We hope this will encourage others in the security community to share vulnerability information using a standardized machine-readable format."

Mark Cox, senior director of Product Security at Red Hat: "Red Hat provides CVRF representations of our security advisories and we make heavy use of data provided by the MITRE CVE project. Having their data in a common standard format will help us and others consume it."

Dustin Childs, group manager of Microsoft Trustworthy Computing: "Customer protection is a priority for Microsoft, and adoption of the new standardized CVRF format extends customer access to crucial information about CVEs. We are pleased to support an advance that makes it easier to understand and address vulnerabilities."

Mike Schiffman, applied researcher, Cisco Systems and ICASI CVRF Working Group chair: "Cisco, a founding member of ICASI and CVRF working group chair, is happy to help MITRE deploy the de-facto standard for the automated creation and consumption of machine-readable vulnerability documentation."

Mary Ann Davidson, chief security officer for Oracle Corporation: "Oracle has been publishing CVRF since early 2012 for all vulnerability communications. We are delighted that MITRE will be providing CVE information in CVRF format, as it will further enable the sharing of security information in a machine-readable format, thus allowing organizations to more quickly and efficiently react when security vulnerability information is published."

"Because vulnerability information comes from many diverse sources, a common format makes it easier to analyze and import data without having to create custom tools or to do so manually," added Christey. "Encouraging the use of CVRF means CVE and other vulnerability information consumers can reduce the effort needed to support the wide variety of formats currently in use. And because of its adoption by major vendors, CVRF has a better chance of success compared to earlier efforts, particularly as the need grows for automated exchange of vulnerability data."

3 Products from 2 Organizations Now Registered as Officially "CVE-Compatible"

Three additional information security products from two organizations have achieved the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 142 products to date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

The official CVE-Compatible logo lets system administrators and other security professionals look for it when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

IBM declared that its vulnerability management product, IBM QRadar Vulnerability Manager, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

4 Products from SecPoint Now Registered as Officially "CVE-Compatible"

Four additional information security products have achieved the final stage of MITRE's formal CVE Compatibility Process and are now officially "CVE-Compatible." The products are now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for each product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 155 products to date have been recognized as officially compatible.

The following products are now registered as officially "CVE-Compatible":

The official CVE-Compatible logo lets system administrators and other security professionals look for it when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

This announcement is being made now so that users will have enough time to change their processes and software to handle the new ID syntax.

NEW CVE-ID SYNTAX

The new CVE-ID Syntax is "CVE prefix + Year + Arbitrary Digits". The sequence number begins at four (4) fixed digits and expands with additional digits only when needed within a calendar year: CVE-YYYY-NNNN with 4 digits, CVE-YYYY-NNNNN with 5 digits if needed, and so on. The year, or YYYY, indicates the year the CVE-ID is issued to a CVE Numbering Authority (CNA) or the year the issue is first disclosed to the public.

This syntax selection also means there will be no changes needed to previously assigned CVE-IDs, which all include 4 digits.

Examples of the New CVE-ID Syntax with 4, 5, and 7 digits are included below:

As initially announced in the January 24, 2013 article "Call for Public Feedback on Upcoming CVE ID Syntax Change," due to the increasing volume of public vulnerability reports, the CVE Editorial Board determined that the Common Vulnerabilities and Exposures (CVE) project needed to change the syntax of its standard vulnerability identifiers so that the CVE List can track more than 10,000 vulnerabilities in a single year. The current syntax of four fixed digits, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.
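As an added example (not code from the CVE site or MITRE), the following Python script shows what the syntax change means for software that consumes CVE identifiers, including identifiers carried in a CVRF document as described earlier on this page: a tool hard-coded to CVE-YYYY-NNNN silently cuts a five-digit identifier down to a different CVE, while a pattern that accepts four or more digits handles 4-, 5- and 7-digit identifiers alike. The sample CVRF document, its CVE values and the CVRF 1.1 namespace URIs are constructed or assumed for this example.

```python
import re
import xml.etree.ElementTree as ET

# Old syntax: exactly four digits after the year (CVE-YYYY-NNNN).
OLD_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")
# New syntax (from 1 January 2014): four or more digits, expanding only
# when a calendar year needs more than 9,999 identifiers.
NEW_CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b")

def is_valid_cve_id(text):
    """True if text is exactly one identifier in the new syntax."""
    return NEW_CVE_RE.fullmatch(text) is not None

def cve_year(cve_id):
    """Year component of a valid identifier (as an int), else None."""
    m = NEW_CVE_RE.fullmatch(cve_id)
    return int(m.group(1)) if m else None

def extract_old(text):
    """How a tool hard-coded for CVE-YYYY-NNNN sees the text: a longer ID
    is silently cut to its first four digits, i.e. a different CVE."""
    return OLD_CVE_RE.findall(text)

def extract_new(text):
    """Greedy digit match: returns complete identifiers of any length."""
    return [m.group(0) for m in NEW_CVE_RE.finditer(text)]

# Constructed, minimal CVRF document (not a real advisory). The namespace
# URIs are assumed to be those of CVRF 1.1; the CVE values are made up.
CVRF_NS = {
    "cvrf": "http://www.icasi.org/CVRF/schema/cvrf/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}
SAMPLE_CVRF = """<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.1">
  <DocumentTitle>Constructed sample advisory</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Example issue A</vuln:Title>
    <vuln:CVE>CVE-2013-0001</vuln:CVE>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Example issue B</vuln:Title>
    <vuln:CVE>CVE-2014-12345</vuln:CVE>
  </vuln:Vulnerability>
</cvrfdoc>
"""

def cves_from_cvrf(xml_text):
    """Return the CVE identifiers listed in a CVRF document, in order."""
    root = ET.fromstring(xml_text)
    return [el.text.strip() for el in root.iterfind(".//vuln:CVE", CVRF_NS)]

def check_cvrf(xml_text):
    """Map each listed CVE to whether it is well-formed under the new syntax."""
    return {cve: is_valid_cve_id(cve) for cve in cves_from_cvrf(xml_text)}

if __name__ == "__main__":
    print(check_cvrf(SAMPLE_CVRF))
    print(extract_old("see CVE-2014-12345"))  # old tool reports CVE-2014-1234
    print(extract_new("see CVE-2014-12345"))
```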

The initial plan called for a period of public feedback, followed by a formal vote by members of the CVE Editorial Board. However, as explained in the May 3, 2013 article "Status Update on the CVE ID Syntax Change," two rounds of voting were required as the initial vote held by the Board in April 2013 resulted in a tie. The initial vote was among three proposed options, with the tie occurring between Option A that extended the available numbering space to 6 digits, and Option B that extended the available numbering space to an arbitrary number of digits (learn more about the original three options). After discussion with the CVE Editorial Board, MITRE proposed dropping Option C from consideration and holding a second vote with only two options, the current Option B and a slightly modified Option A that extended the available numbering space to 8 digits (learn more about the final two options). The second vote was held in May 2013 and resulted in "Option B, CVE prefix + Year + Arbitrary Digits" winning the vote by receiving 15 of the 18 votes cast.

Additional information about the upcoming CVE-ID Syntax Change will be posted on the CVE Web site in the coming months. In the meantime, please address any comments or concerns to cve-id-change@mitre.org.

CVE-ID Syntax Change Infographic Now Available

An infographic explaining the Current (i.e., "old") CVE-ID Syntax versus the New CVE-ID Syntax being implemented on January 1, 2014 is included below.

MITRE to Host CVE Booth at Black Hat Briefings 2013 on July 27 – August 1

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at Black Hat Briefings 2013 at Caesar's Palace in Las Vegas, Nevada, USA, on July 27 – August 1, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 242 and say hello!

CVE is mentioned in a section about the impact of the uncertainty in vulnerability statistics, when the author states: "A major source of confusion is the wide range of flaw counts. Recent reports from Sourcefire and Symantec, for example, were based on vulnerabilities tallied from the National Vulnerability Database and its collection of flaws that have a Common Vulnerability and Exposures (CVE) identifier. Thus, the two reports had very similar numbers: 5,281 and 5,291, respectively. On the other hand, the Open-Source Vulnerability Database (OSVDB) seeks out a large number of additional vulnerability reports and posts the highest bug counts -- 9,184 for 2012, 75 percent higher than that reported by Sourcefire. Other vendors that have their own sources of vulnerability data typically land between the two extremes. Hewlett-Packard’s Zero-Day Initiative, which buys information on serious software security issues, claimed to have found 8,137."

The article also quotes Steve Christey, who states: "At the very least, it is important that people understand the limitations of the data that [is] being used and be able to read reports based on that data with a sufficient dose of skepticism."

CVE Mentioned in Article about Self-Defending Networks on NetworkWorld.com

CVE, TAXII, and STIX are mentioned with regard to standards when the author discusses what he says are the three steps needed to realize "self-defending networks": embracing standards, continuous monitoring, and acceptance of security automation: "Embracing standards. The secure cyber ecosystem concept is built on top of the Secure Content Automation Protocol (SCAP) leveraging a number of standards like Common Vulnerabilities and Exposures (CVE), Common Configuration Enumeration (CCE), and Common Platform Enumeration (CPE). These provide a foundation on the vulnerability and configuration side but self-defending networks need standard data formats and transport protocols for threats like the MITRE Trusted Automated eXchange of Indicator Information (TAXII) and Structured Threat Information eXpression (STIX). It's likely that some of the Trusted Computing Group (TCG) standards for chain-of-trust, platform authentication, and data exchange will also come into play."

The author concludes the article by stating: "It’s nice to see that the Federal government recognizes this and is willing to push for technology innovation and change. This effort has the potential to bear fruit if the Feds can build security community awareness and push vendors and the commercial market to join the effort."

CVE Mentioned in Article about the OWASP Top 10 Security Flaws for 2013 on NetworkWorld.com

CVE and CWE were mentioned in a section about why web application denial-of-service (DoS) attacks were not included on the OWASP list, in quotes from CVE/CWE Technical Lead Steve Christey, as follows: "Regarding application DoS – I don't know if we should be so dismissive of it. The (negative) commentary I've seen on application DoS is concentrating on network-based attacks. (However,) there are other resource-consumption vulnerabilities that are gaining popularity in CVE, such as unrestricted XML entity expansion, a.k.a. 'billion laughs' (CWE-776) (that causes a DoS due to) memory consumption. Another example is algorithmic complexity involving hash collisions that slow down hash-table lookups, which was all the rage about a year ago, (that causes a DoS due to) CPU consumption. More recently, Ruby and/or Ruby-based applications have been getting hit with a number of other resource-consumption issues, such as a memory DoS by forcing the creation of a large number of symbols."

Christey continued, "While I don’t know how often these are exploited, and they may be difficult to detect, or how often they’ll be exploited in the future, these kinds of application DoS issues are becoming popular. As code-execution vulnerabilities get harder to find, I suspect we will see more of these. This might not be enough to merit inclusion in the OWASP Top Ten, but is definitely something to watch out for."

CVE Mentioned in Article about Security Automation on GovernmentComputerNews.com

CVE and Open Vulnerability and Assessment Language (OVAL®) are mentioned in a June 17, 2013 article entitled "NIST, DHS push security automation to the next stage" on GovernmentComputerNews.com. The main topic of the article is that automation is the future of network security and how "Agencies face challenges in getting to an automated environment, however, whether because of tight budgets, complex systems or automated tools that don't necessarily work together. The federal government is supporting the effort by developing the standards that are necessary for interoperable tools and offering intrusion detection and prevention as a service to agencies."

CVE and OVAL are mentioned in a section listing the components of the U.S. National Institute of Standards and Technology's (NIST) "Security Content Automation Protocol (SCAP), a suite of interoperable specifications developed at the National Institute of Standards and Technology in collaboration with the public- and private-sector security community. Although NIST's agenda for security automation goes beyond vulnerability management, SCAP in its present form, Version 1.2, deals primarily with endpoint compliance for configuration requirements. The specifications, contained in Special Publication 800-126, support automated configuration, vulnerability and patch checking, technical control compliance and security measurement." CVE is mentioned in the article as one of the enumerations used by SCAP as "standard nomenclatures and an official dictionary of items expressed using that nomenclature" and OVAL is mentioned as one of the languages used by SCAP for "expressing security policy, technical check mechanisms and assessment results."

The release also includes a quote by CVE Compatibility Lead Robert A. Martin, who states: "We are always excited about having the CVE and CWE efforts adopted and used within commercial offerings but it is especially gratifying when it is by companies in other countries and markets, like High-Tech Bridge. Leveraging CVE and CWE in ImmuniWeb clearly makes business sense and it is directly helping their customers improve the speed and directness as they address vulnerabilities and weaknesses that are putting their organizations at risk."

1 Product from High Tech Bridge Now Registered as Officially "CVE-Compatible"

One additional information security product has achieved the final stage of MITRE's formal CVE Compatibility Process and is now officially "CVE-Compatible." The product is now eligible to use the CVE-Compatible Product/Service logo, and a completed and reviewed "CVE Compatibility Requirements Evaluation" questionnaire is posted for the product as part of the organization's listing on the CVE-Compatible Products and Services page on the CVE Web site. A total of 136 products to date have been recognized as officially compatible.

The following product is now registered as officially "CVE-Compatible":

The official CVE-Compatible logo lets system administrators and other security professionals look for it when adopting vulnerability management products and services for their enterprises, and the compatibility process questionnaire helps end users compare how different products and services satisfy the CVE compatibility requirements, and therefore which specific implementations are best for their networks and systems.

After discussion with the CVE Editorial Board, MITRE proposed dropping Option C from consideration, and offering a new selection between a slightly modified Option A and the current Option B.

The proposed (new) Option A extends the available numbering space to 8 digits, as opposed to the current 4 digits, or the earlier proposed 6 digits. Together with the unchanged Option B, the new options for consideration are:

The CVE Web site now contains 55,027 unique information security issues with publicly known names. CVE, which began in 1999 with just 321 common names on the CVE List, is considered the international standard for public software vulnerability names. Information security professionals and product vendors from around the world use CVE Identifiers (CVE-IDs) as a standard method for identifying vulnerabilities, and for cross-linking among products, services, and other repositories that use the identifiers.

The widespread adoption of CVE in enterprise security is illustrated by the numerous CVE-Compatible Products and Services in use throughout industry, government, and academia for vulnerability management, vulnerability alerting, intrusion detection, and patch management. Major OS vendors and other organizations from around the world also include CVE-IDs in their security alerts to ensure that the international community benefits by having the identifiers as soon as a problem is announced. In addition, CVE-IDs have been used to identify vulnerabilities in the SANS Top Cyber Security Risks threat list since its inception in 2000.

Each of the 55,000+ identifiers on the CVE List includes the following: the CVE Identifier number (read about the upcoming CVE Identifier Syntax Change); a brief description of the security vulnerability; and pertinent references such as vulnerability reports and advisories or an OVAL-ID. Visit the CVE List page to download the complete list in various formats or to look up an individual identifier. Fix information and enhanced searching of CVE are available from NVD.

The CVE Editor’s Commentary page includes opinion and commentary about vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey. Posts are either Community Issues or CVE-Specific.

Discussion topics for the webinar will include: why automation is essential to protect critical network and computing infrastructures, cost-effective strategies for improved secure information-sharing, how to start simplifying network operations, and how network automation and orchestration are essential for seamless workflow management.

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at InfoSec World Conference & Expo 2013 at Walt Disney World Swan and Dolphin in Orlando, Florida, USA, on April 15-17, 2013. Attendees will learn how information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 313 and say hello!

The CVE Editor’s Commentary page includes opinion and commentary about vulnerabilities, software assurance, and related topics by CVE List Editor Steve Christey. Posts are either Community Issues or CVE-Specific.

ALTX-SOFT declared that its repository of Open Vulnerability and Assessment Language (OVAL®) content, ALTX-SOFT Ovaldb, is CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

NetentSec, Inc. Makes Declaration of CVE Compatibility

NetentSec, Inc. declared that its network application security product, Next Generation Firewall (NGFW), will be CVE-Compatible. For additional information about this and other CVE-Compatible products, visit the CVE-Compatible Products and Services section.

MITRE will host a "Strengthening Cyber Defense" booth that includes CVE at RSA Conference 2013 at the Moscone Center in San Francisco, California, USA, on February 25 – March 1, 2013. Attendees will learn how CVE and other information security data standards facilitate both effective security process coordination and the use of automation to assess, manage, and improve the security posture of enterprise security information infrastructures.

Members of the CVE Team will be in attendance. Please stop by Booth 2617 and say hello!

Due to the increasing volume of public vulnerability reports, the Common Vulnerabilities and Exposures (CVE) project will change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The current syntax, CVE-YYYY-NNNN, only supports a maximum of 9,999 unique identifiers per year.

Since a change in the ID syntax will affect many parties including end users and vendors, the CVE project is soliciting feedback from the public before making this change.

The public feedback period will continue through the RSA Conference 2013, being held February 25 - March 1, 2013, where attendees will be able to speak with CVE personnel from MITRE and members of the CVE Editorial Board. After a formal Editorial Board vote, the final selection will be made and the public will be notified, currently planned for March 2013.

The syntax change is scheduled to go into effect on January 1, 2014, so that users will have enough time to change their processes and software to handle the new ID syntax.

With guidance from the CVE Editorial Board, we have identified three options for a new ID syntax, summarized as follows:

MITRE has announced its initial Making Security Measurable calendar of events for 2013. Details regarding MITRE’s scheduled participation at these events are noted on the CVE Calendar page. Each listing includes the event name with URL, date of the event, location, and a description of our activity at the event.